Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

Stony Stevenson writes "Hot on the heels of a recent hack in which 10,000 sites were compromised, researchers have disclosed a new large-scale attack. Researchers at McAfee estimated that the attack has been active for roughly one week, and in that time frame has managed to place itself on roughly 200,000 web pages. Most of the infected pages are running the phpBB forum software, said McAfee. The compromised pages are embedded with a Javascript file that links to the site hosting the attack."

Back in the later months of 2001 we experienced a gradual realization that there was something quite amiss about our government's response to terrorist threats which resulted in the disaster of September of that year. It turns out that not only did we know that there would be a terrorist attack, but we had credible leads indicating who and how it would be carried out. But the lack of information sharing led to disaster.

Here too, we have a threat which is already running wild. Thousands of websites are being attacked. Unfortunately, this article, like many which abound in the security theatre online media, is long on consequences and short on details. Someone knows how the attack spreads, but they aren't sharing the means of stopping the attack.

This article and its lack of content does as much to spread fear and chaos among computer users as the actual attack. These are technical problems which can be fixed. By not being clear about the threat, the article turns hackers into bogeymen that can't be stopped. Give some better info, tell us how to close the hole, and let us get back to work.

This article and its lack of content does as much to spread fear and chaos among computer users as the actual attack. These are technical problems which can be fixed. By not being clear about the threat, the article turns hackers into bogeymen that can't be stopped. Give some better info, tell us how to close the hole, and let us get back to work.

Oh they'll have an answer for that -- just buy McAfee's "protection".

Remember- your Mac is spreading viruses, even if it's not infected.... Be ashamed!

I doubt McAfee has any solutions that fix the security hole in phpBB that is being exploited here. Their scanner might prevent you from installing the payload on the linked site, however, assuming you passed by your browser's warning that you're potentially installing something dangerous.The bigger problem is people installing the "codec" on their computers to watch the porn video. Isn't there enough porn available for free that you can watch already?

Hi mods. Even though the parent is just living his nickname, this is not offtopic.. it's insightful IMHO, sure you could overrate it but it doesn't matter now since I'm already sacrificing a kitten because you made me post this...

How about this plan: anybody, who wishes to maintain an Internet-reachable computer, needs to be licensed (or hire someone, who is). I mean, we require licenses and/or permits to alter plumbing in a house or to add a porch — aren't botnets [usatoday.com] more threatening to the country, than an improperly placed pipe here and there?

Since most attacks originate from abroad, we could relax the rule by applying it only to those, who wish to be reachable from outside US (rather than be automatically firewalled by thei

I'd tend to agree, actually. But, I think, it is inconsistent to require licensing for driving a car and not require it for Internet connection. There will soon be time, when a hacker will be responsible for a death — if it has not happened already...

A botnet targeting a 911 server or a utility company, or a swatting [wikipedia.org] gone really wrong...

In many cases, the hackers are using other people's PCs without their knowledge — a clueless person making their PC reachable from the Internet is about as d

In many cases, the hackers are using other people's PCs without their knowledge -- a clueless person making their PC reachable from the Internet is about as dangerous as an unlicensed driver on the highway...

Please post even a single reference to an actual death or injury that could have been prevented by licensing internet access.

What we need to do is spend less money confiscating water bottles and more detecting and prosecuting people exploiting PCs.

Licensing people would being its own can of worms. First, unless one handed out smartcards and passed legislation to have CAC or a similar smart card readers on every desktop and laptop, it would give identity thieves another easy target because most likely it would be implemented by requiring people to punch in an "Internet license number" for access to websites, similar to how Korea requires your residence registration number if you want to create an account on a website there. Of course, this info is e

Yeah, it really sucks, that regular people can not drive their own cars any more, and are forced to take big corporation-owned buses, does not it?

If the bus and taxi lobby were as big as telecom, that would be exactly the case. Also keep in mind that there are way too many registered voters who want to drive but not so many that want to run a server.

For a properly maintained phpBB site, this isn't that big of a deal. As a maintainer for a site which uses phpBB, I can tell you that I have seen this attempted for months. I believe phpBB is mentioned directly because it seems there are programs which allow individuals to create forum accounts and post messages using an automated script. The scripts post messages to visit a (usually) pornographic site. Once you connect you are presented with a page with a display which mimics YouTube.com, however a pop

While I agree that the synopsis leaves something to be desired, inserting political diatribe equally lacking in factual detail does not improve the situation. I'm not sure who you're trying to score points on that cares but can we stick to the topic at hand or is that just too much to ask?

Unfortunately, this article, like many which abound in the security theatre online media, is long on consequences and short on details. Someone knows how the attack spreads, but they aren't sharing the means of stopping the attack.

I always thought the news were to report news, and that the knowledge itself was stored somewhere else.

I'd like to report another case then. Last week I read news about a new book, and the book was not printed in the papers. Actually, the news didn't even tell me where to buy the book.

Here too, we have a threat which is already running wild. Thousands of websites are being attacked. Unfortunately, this article, like many which abound in the security theatre online media, is long on consequences and short on details. Someone knows how the attack spreads, but they aren't sharing the means of stopping the attack.

We know exactly how it spreads: php. Don't get me wrong, php is a good language as of 5.x. However, to write something in it that's not simple to exploit you actually have to know what you're doing, which is not the case the for majority of php developers. Look at the majority of php code out there, it's no surprise at all why it's so security plagued: the developers simply have no clue and php doesn't protect you. Hell, even many tutorials out there have security exploits in them.

That's bullshit, phpBB was hit ~2-3 years ago with the self propogating worm Santy, which exploited a bug in a PHP function (unserialize IIRC). phpBB was essentially a victim--the bug was in PHP itself, and phpBB is a widely deployed open source BB, and the developers had removed all usage of the compromised function after the bug was disclosed and before the Santy worm hit. (Site owners who failed to upgrade were hit, a large percentage.)

We don't run phpBB. Is it just me, or is phpBB almost always the target of these kinds of attacks? I mean, there are probably hundreds of CMS systems out there, but almost every mass site hijacking/defacement I can remember has involved phpBB.

It's targeted because it is so popular. All of the attacks that are publicized are on boards using outdated software. When more details come out, I'll bet that every single board will be several versions out of date.

I do not believe anyone really knows what market share the various forums have, but it is generally believed that the most popular are Simple Machines, phpBB, vBulletin, and Invision Power Board (in no particular order).

I cannot believe that phpBB has so many successful attacks simply because it has a large installation base, otherwise these other forum softwares would also be suffering the same fate.

The problem is the phpBB developers just don't much care. I say this as someone using it for years now. Just a few months ago I found some dangerous file permissions in it, reported those, and got brushed aside with a response like "If it were an important security issue the core developers would have already taken care of it."Fscking idiots. I still use it. But I've done extensive custom patching to make it (relatively) safe. The project maintainers just can't be bothered to listen to criticism and get sma

It's the same reason hackers devote so much time exploiting Windows - more bang for your buck. phpBB is everywhere.

Except that popularity != exploitability. Many people think that software is like a safe - if you grind at it long enough, eventually it'll open. Software isn't like that. You can grind at software forever and it won't change anything unless you actually find a vulnerability - a case not handled by the software.

For example, MySQL is much more popular online than Microsoft SQL. Yet MS-SQL gave rise to the slammer worm [google.com] while the vastly-more-commonly-installed MySQL has not ever been infected by anything anywhere near the same magnitude. (Yes, there have been a few. They didn't get very far)

The formula is NOT:Popularity = Exploited.

It's more likePopularity * Bad Design = Exploited.

And even bad software can eventually be cleaned up. Sendmail used to be a security nightmare. But despite its position as the #1 mail server software on the Internet, it's been quite a few years since any serious vulns were exploited.

It's the same reason hackers devote so much time exploiting Windows - more bang for your buck. phpBB is everywhere.

It's not so much that as it is the fact that phpBB 1.x/2.x have a appalling number of security flaws. It's wildly insecure, so much so that there's actually a mod (crackertracker) designed to help harden installations against the inevitable attacks.

I'd be willing to bet that most of the phpBB installs were 1.x/2.x -- the phpBB team actually paid for an audit of the 3.x line, and so far it seems to be much more secure code.

The problem with phpBB is it's so damned hard to upgrade. There's no plugin architecture - 'plugins' are done by hand-modifying the code (and the changes aren't even sent as diffs, they're instructions that must be hand applied).Because of this even a minor upgrade is about a days work whilst everything is re-applied and retested. It's hell if you have any custom themes - because you have to basically recreate it from scratch because again the themes are hooked into the core code and themes for one versio

You are wrong. I set up and have maintained a phpBB-based website, heavily modded, for the past three years. All upgrades area available as diffs. They apply with a single patch command. Patching goes smoothly; only a few hunks fail that need to be done manually (and remember, mine is heavily modded) which is quite simple. I've never had to recereate anything.

In my experience (I work for a large webhost), osCommerce and Joomla/Mambo (and most of their stupid useless 3rd party components) are far worse than phpBB. The biggest problem for (old versions of) phpBB is that it's an easy target for spambots.

I call bullshit on your Joomla claim. Show some stats. Looking at Security Focus I see less for Joomla than many other CMS platforms and almost none for 3rd party components. Truth is, Joomla team is extremely proactive in patching issues with their software, which is more than can be said for lots of pay-for webapps.

I hadn't noticed such concentration of phpBB as a target,but there are numerous popular web packages that make no attempt to properly manage security. Even Bugzilla, with its setup tools and database passwords in plain site inside the directories with the Bugzilla software itself and accessible on a casually installed Apache server, treats security as a tacked-on afterghought. Subversion is no better, with its quiet practice of storing your passwords for HTTP, HTTPS, or svnserve access in plain-text in the

Oh, I use svn+ssh for my Subversion on Sourceforge, and refuse to use the standard password based HTTP or HTTPS access. SSL key management to make user-authorized HTTPS connections is also feasible. But such uses are not well documented: the svn+ssh examples, for example, do not include the use of the necessary flags tags to identify the name of the repository user, and they absolutely should unless you want all your SVN checkouts to be in the name of the same target SSH user. Yet the Subversion documentati

My old phpBB forum got hacked. Wanna know why? Cuz I used the auto-installing plugin that my host provided. It was about 20 versions behind and they NEVER updated it. So it had a gaping security hole in it. And guess what else! I couldn't patch it because it was considered some sort of embedded plugin that I couldn't tocuh the system files of. I had to install a fresh, updated version and phpBB and then copy the database over AND alter the database manually to reflect all the changes between between versions, which was a major pain in the ass. Needless to say I was pissed. Oh and I tried to sue/have arrested those Zone-H assholes that posted it like it was some sort of trophy case but apparently they're not hosted in the US so I dropped it.
I would be willing to guess that every single hack was because of outdated phpBB quick installs like ipowerweb makes available on their servers.

I've never been comfortable with those auto-installers and cpanel tools and now I have good reason to dislike them. Did you have an option to upload and install your own scripts/CGIs? I'm using a host with SSH access. Sure it costs a bit more but the extra level of control is worth every penny.

You tried to sue/arrest Zone-H? What are you, an idiot? THEY didn't hack your insecure website. They just reported on it. I suppose you'd also sue the local newspaper if they ran a story on your hacked website.

Does a light bulb dim in the minds of some computer users at the prospect of free pornography? It is the easiest thing in the world to get free porn online, why is installing something on your computer from a porn website all of a sudden appealing when a pop up window seduces you into it? I have a new term for this, it is called getting "FreePwned."

Very true, I imagine (or atleast hope) that if a normal person saw such a thing as free porn, they'd get rid of it immediately. This hack though can have a devastating effect though if done right. Imagine trying to see a Youtube Video someone posted on your forum only to find you need to upgrade Flash... and then discover that "upgrade" was a trojan.
Thank god hackers (and nerds in general) are total pervs.

I read both those articles and got the impression that the attack was 'social engineering' meaning that phpBB's only role was to allow someone to post a URL to a site which actually hacked the stupid victims. There is no specific mention of any exploit.

For the longest time phpBB did not even have the option to force users to authenticate their email address let alone use any captcha on the registration page. For this reason many existing phpBB forums are flooded with fake accounts, and possible these were used in order to post the links or malware.

From another site I read regularly, a forum member posted the following (the link was recently taken down, but I checked it at the time and it's absolutely true):

Some years ago I registered www.confuse.me.uk with some intention of doing something or other with it. Part of that was going to be a forum which I set up, then never had time to do anything more with it.

I took a look today and I have 14,140 members, 8,358 threads and 22,914 posts and each and everyone one of them is spam. Spammers replying to spambots replying to spammers.

The title (which appears to be the only part the submitter actually "authored") is incorrect and conflicts with the text it quotes. An estimated 200,000 pages (most likely individual posts in phpBB forums) are out there, not sites.

According to this video [avertlabs.com], the pages are being inserted via SQL injection attacks. The 200k pages is based on a google search (he does not reveal what criteria he is searching for) which came back with 150k hits. So it is not clear how many actual sites are compromised. One could assume that once a phpBB site is compromised, every page of every thread, which is analogous to individual web pages, would redirect to the worm download site. A popular forum could easily have several thousand thread-pages. In fact, every single page would probably be redirecting, which would include each user's summary page (which would be in the thousands for even a small site). So a small number of cites could be accounting for all the 200k pages.

Also, in the video it is clear from the url that it is a phpBB2 site that is compromised. phpBB is currently at a major version of 3.

According to this video, the pages are being inserted via SQL injection attacks.

When this news broke last night (my local time), my heart skipped a beat because one of my phpBB instances isn't totally up to date, so I did a quick bit of research to see if I could fill in the massive blanks left by this report. Yes, it does look like an SQL injection attack: the attack appends a SCRIPT tag to the forum's main title, which is inserted into various locations on every page from a database field. Due to one thing and another this results in some hideously malformed HTML, but it has the desired effect (of executing the Javascript) in the major browsers. I suspect that the search in question is a Google "intitle:" search which keys off the domain name of the site carrying the exploit code, since this becomes a visible part of the title.

I have no idea exactly how the SQL injection is being effected, but my phpBB forum was not impacted. This may be because my version is not too old, because I lack a vulnerable add-on module, or because my custom anti-bot mechanisms deflected the attack. I couldn't see anything in the past few days of log activity which contained key strings used in the exploit, but I didn't search very hard once I determined that my instance was unaffected.

But I've made some modifications to my install. I replaced the registration and profile pages with a web form that posts to an Email parser. There was a lot of activity the last few days, spam registrations out the yang.

It's funny because to them it looks like the registration page and they keep running scripts against it. I block the IP ranges of the spam registrations at the boundary but they just keep block hopping.

They'll still get a script reg through sometimes, so there's something I'm missing. I could just install the security updates but it's so much more fun to try and tweak it myself.

Actually, that's not quite true: my brother's website was abused like this, which resulted in Google referrals warning that "this site contains malicious software". His company ranking was Number 1 in every Google search for his type of service. It's proving very expensive for him.

Or dont!
Give phpBB3 at least until June (6 months from release) to be fully tested in the wild as you would with any major system upgrade. I remember the "fun" had upgrading from 1.4.4 to 2.0.0 back a few years ago. Lessons learned.
However, worth noting phpBB2 had an upgrade issued only a month ago up to version 2.0.23 - maybe they knew something ?

Most of us can say phpBB or even the 1000s of php based 'pre-packaged' web sites out there are disasters waiting to happen. Either being poorly coded, not keeping up to date with the latest patches or able to use the current secure versions of PHP, etc.The problem here is most of the people using this software has limited HTML/Web programming skills and find these as easy solutions to what they want, a site for their MMO Clan, their band, etc.

"This is one area where ASP gets a nod, as keeping the versions up to date is seamless, and applications and sites designed around ASP simply don't break even with the most massive updates."
Ahem...
"This contrasts [Thursday's] attack in that the vast majority of those were active server pages (.ASP)," explained McAfee researcher Craig Schmugar on a company blog posting."
From - http://www.itnews.com.au/News/72214,second-mass-hack-exposed.aspx [itnews.com.au]

First, I'm not sure if your talking ASP or ASP.Net, but either way the vast majority of your comment can be shortened to:There are lots of PHP packages out there. People think they are safe because they are not MS. PHP packages should be re-written in ASP. PHP breaks due to updates but ASP updates better, therefore ASP is a better choice. PHP isn't inherently insecure, it's the packages.

Your entire statement boils down to this logic:1) There are a lot of insecure Packages in PHP3) It's not an insecurity in PHP, it's an insecurity in the packages2) ASP updates better than PHP

Your comparing apples (ASP) to oranges (PHP Packages). I have no experience how well or poorly the security of packages in PHP perform against the security of packages in ASP.Net, we would have to pick a large pool of them to find out. And just because Windows Updates makes updates available for ASP.Net does not mean that people actually are that willing to reboot their web farms for every update that appears. Your saying the problem is bad coding and that ASP solves it, I would beg to differ.

And here is my anecdotal comment:I have answered thousands of ASP questions (ASP used to be my primary web 'language') as well as written/re-written many sites and over time I have seen a lot of site examples and snippets that would leave a page wide open or in a position to break on regular occasions (or just plain didn't work). On the other hand I have worked with several PHP packages that were solidly put together and worked against a range of PHP versions. PHP must be better because I haven't personally seen anywhere near as many errors in coding as I have in ASP. None of the first several thousand ASP posts would work at all against the next version of the language (ASP 3 => ASP.Net) and needed to be rewritten from scratch, but most or all of the packages I used with PHP 4 worked just fine with PHP 5.

The kicker with mainstream ASP is it requires an IIS server and Windows server is not always cheap or the cheapest hosting solution for these same users.

I know lots of people have problems with GoDaddy, but their ASP/IIS hosting is the same price as their LAMP hosting. For the basic cheapo package (which should be sufficient for the uses you mention), that's only $4 a month.

This is the kind of thing that really upsets me. I mean, if someone has the 1337z sk1llz to do this sort of thing, why aren't they using those skills to make a fortune, instead of using them to fsck up other peoples' websites? that sort of behavior ain't cool. in fact, it's decidedly uncool and people who act that way should be banished to a big island for criminals, like Australia.

Granted PHPBB was hacked because it's poorly written and these sites were likely not kept up to date, but... these kinds of success large scale attacks really don't do much to show how much more secure open source software is - even very popular FOSS like this!

Yeah yeah, I know I'll be marked as troll/flamebait or whatever... but I don't see any upmodded discussion of this, it's a serious issue, if only for the perception it fosters in the industry.

Yeah, it's OSS, but it's crap. There are quite a few open-source boards that are written with security in mind -- but up until the 3.x branch of phpBB, security was hardly even an afterthought. Same thing with Wordpress. Just because it's popular open source software doesn't mean it's indicative of the level of quality found throughout all open source projects.

Yeah, it's really quite unfortunate. They really need to work on security, and make it easier to upgrade automatically (for sites with no full-time admins, like I imagine most of these were).

I'm a big FLOSS advocate, but seriously I see so many people on places like slashdot saying "run FLOSS because it's more secure than proprietary software." I don't see huge headlines about vBulletin getting hundreds of thousands of breakins, even though "powered by vbulletin" gets three millions hits.

Looking through my 404 logs I get a bunch of kiddie auto scripts either looking to BB spam or hack in, here are some items which I figure are popular entry routes:

///include/print_category.php/forum/index.php/bbs/include/print_category.php/functions.php/board/index.php/forums/index.php/phpbb2/index.php//calendar//tools/send_reminders.php//skin/zero_vote/error.php (lots of these)/skin/zero_vote/ask_password.php//support/mailling/maillist/inc/initdb.php (a few of these)/function.main/comments.php/MSOffice/cltreq.asp/cgi-bin/bbs/read.cgi//include/write.php

As reported in Secunia [secunia.com], the SQL injection bug was found in Fully Modded phpBB on 12-Mar, see here [milw0rm.com].

The Fully Modded phpBB [phpbbfm.net] website is down, but it is basically a fork or extension of the base phpBB code, which remains secure.

I know I've labored the point about phpBB not being vulnerable to this kind of attack, but it really is built from the ground up for security. This exploit does not affect phpBB, just the heavily modified for "Fully Modded phpBB".

Yeah, I installed it way back in the days and forgot it was on my website. I have now gotten several emails from my domain host stating attacks on it using an exploit in phpBB.

Which is why you're supposed to upgrade. The article is incredibly short and doesn't specify, but I'd be willing to bet the exploit was one that has already been patched/revealed.

At least with this attack the computer savvy not running NoScript or the like will be able to avoid getting hit with the payload. And now, time to check to make sure my ASP pages haven't been attacked...

yes, I was wondering the same. suppose one had a site with phpbb installed and wanted to check if their site was one of those compromised. how would one go about that? tfa doesn't mention. it seems somehow half-assed to publish that several tens of thousands of sites have been compromised, yet not provide any useful information regarding detection, cleaning and prevention.

Tell him to set up power saving correctly. Although my computer needs to stay connected to the mains for suspend to ram to work. It's to most intensive purposes "turned off". Takes 7 seconds (at most) to go to sleep and a few seconds wake up and I never have a problem.

My Cable Modem (Motorola Sb5101) has an "Internet Standby" button on it - apparently, when you press it, it prevents any data transfer in or out but keeps the modem itself connected to the provider etc.

At least I think that's what it does - I've never actually used it, as the cable modem is outside my hardware firewall anyway.

You can disable the connection to the internet in your modem's driver options (or ethernet port's driver's options...) or your computer's network settings. Leaving a link to the settings on your desktop ensures you won't forget to turn it back on when you come back to your computer after going out to do whatever the hell anyone would do without a computer (buy a new moniter?).Mind you it does take all of 20 seconds to have your network grab you an IP address...verify your computer...and finally connect. B